There are three core areas upon which Directors should focus their attention to help establish and maintain an effective compliance program. They are: (1) structure, (2) culture, and (3) risk management.
The structural area consists of questions which will aid in determining the fundamental sense of a company’s overall compliance program. The questions should begin with the basics of the program and continue through to how the program operates in action. Some of the structural questions Board members should ask are the following.
- Who oversees the operation of the program?
- What is in the Code of Conduct? Is each Board member aware of corporate standards and procedures?
- How are complaints being received?
- Who conducts investigations and acts on the results?
- What corporate resources are being devoted to the compliance and ethics program?
- How much money is allocated to the program?
- What types of training are required? How effective is it?
- Have any compliance failures been detected? If so, how was such detection made?
- If a company’s compliance program is less mature, what are the charter compliance documents?
- If a company’s compliance program is more mature, there should be queries regarding the roles of the General Counsel vs. a Chief Compliance Officer. What is the CCO reporting structure?
This area of inquiry should focus on the culture of the organization regarding compliance. Board members should have an understanding of what message is being communicated not only from senior management but also middle management. Equally important, the Board needs to understand what message is being heard at the lowest levels within the company. Some of the cultural questions Board members should ask are the following.
- When did the company last conduct a survey to measure the corporate culture of compliance?
- Is it time for the company to resurvey to measure the corporate culture of compliance?
- If a survey is performed, what are the results? Have any deficiencies been demonstrated? If so, what is the action plan going forward to remedy such deficiencies?
- Did any compliance investigations arise from a cultural problem?
- Regardless of any survey results, what can be done to improve the culture of compliance within the company?
- If there were any acquisitions, were they analyzed from a compliance culture perspective?
- Are there any M&A deals on the horizon? If so, have they been reviewed from the compliance perspective?
Risk Management Questions
Board members need to understand the process the company uses to identify, evaluate and manage emerging risks. Such risk analysis would be broader than simply a compliance risk assessment and should be tied to other broader corporate matters.
- What is the risk assessment process?
- How effective is this risk assessment process? Is it stale?
- Who is involved in the risk assessment process?
- Does the risk assessment process take into account any new developments in legal or compliance best practices?
- Are there any new operations that pose substantial compliance risks for the company?
- Is the company tracking enforcement trends? Are any competitors facing enforcement actions?
- Has the company moved into any new markets which impose new or additional compliance risks?
- Has the company developed any new product or service lines which change the company’s risk profile?
Three Key Takeaways
- A Board of Directors should inquire into the structural component of the compliance program as it will aid in determining the fundamental sense of a company’s overall compliance program.
- Cultural questions should be asked to garner an understanding of what message is being communicated not only from senior management but also middle management.
- Risk management questions should be asked to understand the process the company uses to identify, evaluate and manage emerging risks.